From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: Pedro Falcato <pedro.falcato@gmail.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Vitaly Cheptsov" <vit9696@protonmail.com>,
"Marvin Häuser" <mhaeuser@posteo.de>,
"Gao, Liming" <gaoliming@byosoft.com.cn>,
"Liu, Zhiguang" <zhiguang.liu@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
Date: Tue, 25 Oct 2022 16:22:33 +0000 [thread overview]
Message-ID: <CO1PR11MB4929A1D3EAE96A2D31B61EB0D2319@CO1PR11MB4929.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20221024224324.26540-1-pedro.falcato@gmail.com>
Adding Jiewen Yao.
Mike
> -----Original Message-----
> From: Pedro Falcato <pedro.falcato@gmail.com>
> Sent: Monday, October 24, 2022 3:43 PM
> To: devel@edk2.groups.io
> Cc: Pedro Falcato <pedro.falcato@gmail.com>; Vitaly Cheptsov <vit9696@protonmail.com>; Marvin Häuser <mhaeuser@posteo.de>;
> Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Liu, Zhiguang <zhiguang.liu@intel.com>
> Subject: [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
>
> OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
> which was able to catch these (mostly harmless) issues.
>
> Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
> Cc: Vitaly Cheptsov <vit9696@protonmail.com>
> Cc: Marvin Häuser <mhaeuser@posteo.de>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> ---
> MdePkg/Library/BaseLib/SafeString.c | 24 ++++++++++++++++++++----
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c
> index f338a32a3a41..77a2585ad56d 100644
> --- a/MdePkg/Library/BaseLib/SafeString.c
> +++ b/MdePkg/Library/BaseLib/SafeString.c
> @@ -863,6 +863,9 @@ StrHexToUintnS (
> OUT UINTN *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> ASSERT (((UINTN)String & BIT0) == 0);
>
> //
> @@ -893,11 +896,12 @@ StrHexToUintnS (
> // Ignore leading Zeros after the spaces
> //
> while (*String == L'0') {
> + FoundLeadingZero = TRUE;
> String++;
> }
>
> if (CharToUpper (*String) == L'X') {
> - if (*(String - 1) != L'0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -992,6 +996,9 @@ StrHexToUint64S (
> OUT UINT64 *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> ASSERT (((UINTN)String & BIT0) == 0);
>
> //
> @@ -1022,11 +1029,12 @@ StrHexToUint64S (
> // Ignore leading Zeros after the spaces
> //
> while (*String == L'0') {
> + FoundLeadingZero = TRUE;
> String++;
> }
>
> if (CharToUpper (*String) == L'X') {
> - if (*(String - 1) != L'0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -2393,6 +2401,9 @@ AsciiStrHexToUintnS (
> OUT UINTN *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> //
> // 1. Neither String nor Data shall be a null pointer.
> //
> @@ -2421,11 +2432,12 @@ AsciiStrHexToUintnS (
> // Ignore leading Zeros after the spaces
> //
> while (*String == '0') {
> + FoundLeadingZero = TRUE;
> String++;
> }
>
> if (AsciiCharToUpper (*String) == 'X') {
> - if (*(String - 1) != '0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> @@ -2517,6 +2529,9 @@ AsciiStrHexToUint64S (
> OUT UINT64 *Data
> )
> {
> + BOOLEAN FoundLeadingZero;
> +
> + FoundLeadingZero = FALSE;
> //
> // 1. Neither String nor Data shall be a null pointer.
> //
> @@ -2545,11 +2560,12 @@ AsciiStrHexToUint64S (
> // Ignore leading Zeros after the spaces
> //
> while (*String == '0') {
> + FoundLeadingZero = TRUE;
> String++;
> }
>
> if (AsciiCharToUpper (*String) == 'X') {
> - if (*(String - 1) != '0') {
> + if (!FoundLeadingZero) {
> *Data = 0;
> return RETURN_SUCCESS;
> }
> --
> 2.38.1
next prev parent reply other threads:[~2022-10-25 16:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-24 22:43 [PATCH v2 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString Pedro Falcato
2022-10-25 16:22 ` Michael D Kinney [this message]
2022-10-26 13:34 ` Yao, Jiewen
2022-10-26 13:41 ` Marvin Häuser
2022-10-26 15:54 ` Michael D Kinney
2022-11-02 23:42 ` Pedro Falcato
2022-11-03 1:00 ` 回复: " gaoliming
2022-11-03 1:13 ` Pedro Falcato
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CO1PR11MB4929A1D3EAE96A2D31B61EB0D2319@CO1PR11MB4929.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox